diff --git a/clusters/botnet.json b/clusters/botnet.json
index dd9f867..df6dea5 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1364,7 +1364,26 @@
 ],
 "uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
 "value": "Qbot"
+ },
+ {
+ "description": "This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.",
+ "meta": {
+ "refs": [
+ "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ }
+ ],
+ "uuid": "505c6a54-a701-4a4b-85d4-0f2038b7b46a",
+ "value": "Dark.IoT"
 }
 ],
- "version": 27
+ "version": 28
 }
diff --git a/clusters/cryptominers.json b/clusters/cryptominers.json
index 91a3bcf..b878640 100644
--- a/clusters/cryptominers.json
+++ b/clusters/cryptominers.json
@@ -62,7 +62,17 @@
 },
 "uuid": "a0c0ab05-c390-425c-9311-f64bf7ca9145",
 "value": "Krane"
+ },
+ {
+ "description": "“Hezb”, which is based on command line artifact data, was observed around Kinsing. This malware is relatively new and was recently reported in late May exploiting WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”.",
+ "meta": {
+ "refs": [
+ "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
+ ]
+ },
+ "uuid": "428bbf01-7756-48a2-848d-6bca3997f1df",
+ "value": "Hezb"
 }
 ],
- "version": 2
+ "version": 3
 }
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index b8f79d5..eca2ed9 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
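Review bot: The `variant-of` relation in the new Dark.IoT entry points at `dest-uuid` `fcdfd4af-da35-49a8-9610-19be8a487185`, but nothing in the hunk identifies that cluster and the description never says which family Dark.IoT is a variant of, so the relationship cannot be read without resolving the UUID. Please confirm the UUID resolves to an existing cluster in this galaxy, since a dangling `dest-uuid` silently breaks relationship resolution in consumers, and name the parent family in the description, e.g. `"description": "Dark.IoT is a variant of <parent family per the Lacework reference> ..."`. The `meta` block carries only the single reference; a `synonyms` list would help consumers match this entry against other naming.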
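Review bot: The Hezb description is pasted verbatim from the blog and carries a relative date, `was recently reported in late May`, with no year, which becomes meaningless in a static knowledge base; the CVE year in the same sentence suggests `reported in late May 2022`, but check that against the reference before changing it. The text also uses typographic quotes (“Hezb”, “kik”) where the rest of the file uses plain ASCII; either drop the quotes or use straight ones. The opening clause `“Hezb”, which is based on command line artifact data, was observed around Kinsing` is the analyst's naming note rather than a description; `Hezb is an XMRig-based cryptominer observed alongside Kinsing; the name comes from command-line artifacts.` states the same thing directly.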
@@ -24589,7 +24589,20 @@
 },
 "uuid": "995c3772-dbda-4a2a-9e28-c47740d599a3",
 "value": "Maui ransomware"
+ },
+ {
+ "description": "Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.",
+ "meta": {
+ "ransomnotes-refs": [
+ "https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png"
+ ],
+ "refs": [
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
+ ]
+ },
+ "uuid": "d513199e-7f21-43fd-9610-ed708c3f6409",
+ "value": "Lorenz Ransomware"
 }
 ],
- "version": 107
+ "version": 108
 }
diff --git a/clusters/rat.json b/clusters/rat.json
index dd42ee5..c87ed04 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -1941,7 +1941,8 @@
 "date": "2005 or 2008",
 "refs": [
 "https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX"
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX",
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
 ],
 "synonyms": [
 "Korplug",
@@ -3536,5 +3537,5 @@
 "value": "Ragnatela"
 }
 ],
- "version": 39
+ "version": 40
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 64d3048..67d5739 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
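Review bot: The `ransomnotes-refs` URL in the new Lorenz entry goes through a CDN rewriter host (`marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/...`) rather than the publisher's own domain; such proxied URLs break when the publisher changes providers and obscure where the screenshot came from. The canonical path is embedded in it, so `"https://arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png"` should be used instead if it resolves (not verified here). The `value` `Lorenz Ransomware` also capitalises the suffix while the preceding entry is `Maui ransomware`; pick one convention for the `value` field within the file.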
@@ -8570,7 +8570,39 @@
 },
 "uuid": "0bdb6f1c-1229-4556-a535-7444ddfbd7a9",
 "value": "GootLoader"
+ },
+ {
+ "description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malware’s jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
+ ],
+ "type": [
+ "backdoor"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "6fc4beee-b922-4d25-833d-8fb574a3c56e",
+ "value": "BumbleBee"
+ },
+ {
+ "description": "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Benign in itself, but used by threat actors.",
+ "meta": {
+ "refs": [
+ "https://github.com/jpillora/chisel"
+ ]
+ },
+ "uuid": "f493dede-9134-44db-a00d-aa4866bfd555",
+ "value": "Chisel"
 }
 ],
- "version": 153
+ "version": 155
 }
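Review bot: The BumbleBee description ends with the blog's transitional sentence `Let us take a deeper look into this backdoor.`, which describes nothing about the tool and should be dropped, and the parenthetical `(these are commonly local government devices)` describes the referenced campaign rather than the malware and belongs in the reference, not the entry. The `related-to` relation's `dest-uuid` `96b2b31e-b191-43c4-9929-48ba1cbee62c` is not explained anywhere in the hunk; confirm it resolves in the galaxy and state the relationship in the description, since the reference title suggests this backdoor evolved from an earlier family. The name `BumbleBee` is also widely used for a different loader family, so the description should say explicitly that this entry is the modular backdoor documented by Trend Micro, to keep consumers matching on `value` from merging the two. The version bump from 153 to 155 skips 154; if the two new entries are meant to be separate increments that is fine, otherwise it should be `"version": 154`.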